Merging Duplicate Items Identified by a Vulnerability Analysis

ABSTRACT

An embodiment may involve a plurality of configuration items and an unmatched configuration item, wherein the unmatched configuration item is associated with a first set of attribute values and a first vulnerability, wherein the first vulnerability is associated with a first set of field values. The embodiment may further involve one or more processors configured to: (i) determine that the unmatched configuration item and a particular configuration item both represent a specific component, wherein the particular configuration item is associated with a second set of attribute values and a second vulnerability, wherein the second vulnerability is associated with a second set of field values; (ii) merge the unmatched configuration item into the particular configuration item; (iii) determine that the first vulnerability and the second vulnerability both represent a specific vulnerability; (iv) merge the first vulnerability into the second vulnerability; and (v) delete the unmatched configuration item and the first vulnerability.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority to U.S. Pat.Application No. 17/888,718, filed Aug. 16, 2022, which is herebyincorporated by reference in its entirety

U.S. Pat. Application No. 17/888,718 is a continuation of and claimspriority to U.S. Pat. Application No. 16/902,996, filed Jun. 16, 2020,which is hereby incorporated by reference in its entirety.

BACKGROUND

A remote network management platform may be used to discover orotherwise identify configuration items in a managed network. Theseconfiguration items may represent hardware components, softwarecomponents executable thereon, services provided by one or more of thesecomponents, and/or other information. Discovered configuration items maybe stored as entries in a configuration management database (CMDB). Forsake of simplicity, a “discovered” configuration item herein may be aconfiguration item that was provided to the CMDB by discovery processes,hardware or software asset management processes, a purchase managementprocess, or manually, for example.

Additionally, vulnerability detection tools may perform vulnerabilityanalyses on the managed network. Such tools may scan the hardware and/orsoftware components to identify vulnerabilities. These vulnerabilitiesmay be defects in hardware, operating systems, and/or software packagesthat can be exploited to gain unauthorized access to certain informationon the managed network or to cause one or more components of the managednetwork to behave in an undesirable fashion. Vulnerability detectiontools may store their findings as vulnerable items, which identifycombinations of vulnerabilities and the configuration items on whichthese vulnerabilities were found. A vulnerability may be specified byvalues of a number of fields associated therewith.

Due to differences in how the remote network management platformperforms discovery and how vulnerability detection tools identifyconfiguration items, vulnerability detection tools may representconfiguration items differently than how they are represented bydiscovery applications or other applications. For example, configurationitems generated by vulnerability detection tools may have differentattribute values than those generated by discovery applications.

This can lead to a number of problems, including multiple configurationitems in the CMDB characterized as being different when they actuallyrepresent the same component. This can be confusing and can causeunnecessary delays when resolving the identified vulnerabilities.Further, the CMDB can become cluttered with duplicate configurationitems, wasting memory with redundant information.

SUMMARY

The embodiments herein overcome these and other problems by providingrule-based techniques for merging duplicate configuration items andduplicate vulnerabilities. Such techniques may involve three related butseparable steps.

First, duplicate configuration items are identified in the CMDB. Thismay involve determining that an unmatched configuration item found by avulnerability detection tool matches a discovered configuration item.Various matching algorithms may be used, from displaying similarconfiguration items and having users manually specifying matches tomachine learning techniques that automatically or semi-automaticallyidentify matches. The exact procedure used for this step is beyond thescope of this document.

Second, duplicate configuration items identified by the first step maybe merged. This can involve copying values of attributes from theunmatched configuration item found by the vulnerability detection toolinto the discovered configuration item. During this process, preferencemay be given to any non-default or non-empty values already populated inthe attributes of the discovered configuration item. Further, anyvulnerabilities that refer to the unmatched configuration item are madeto refer to the discovered configuration item. Then, the unmatchedconfiguration item can be deleted.

Third, the vulnerabilities referring the discovered configuration item(which now incorporates information merged from the unmatchedconfiguration item) are considered. Any two vulnerabilities referring tothis configuration item and representing the same vulnerability may bemerged. These vulnerabilities may be defined by a set of fields withassociated values. Thus, the merging process may apply different rulesper field type (e.g., system-defined, user-defined, orapplication-defined) and/or on a per-field basis.

While the above discussion focuses on merging a pair of configurationitems and then a pair of vulnerabilities, multiple configuration itemsand vulnerabilities can be merged. Any number of configuration items maybe merged by applying pair-wise merging to a first two configurationitems to form a merged configuration item, then applying pair-wisemerging to a third configuration item and the merged configuration item,and so on. Likewise, any number of vulnerabilities per configurationitem may be merged by applying pair-wise merging to a first twovulnerabilities to form a merged vulnerability, then applying pair-wisemerging to a third vulnerability and the merged vulnerability, and soon.

Accordingly, a first example embodiment may involve persistent storagecontaining a plurality of configuration items and an unmatchedconfiguration item, wherein the unmatched configuration item isassociated with a first set of attribute values and a firstvulnerability, and wherein the first vulnerability is associated with afirst set of field values. The first example embodiment may furtherinvolve one or more processors configured to: (i) determine that theunmatched configuration item and a particular configuration item fromthe plurality of configuration items both represent a specific componentof a managed network, wherein the particular configuration item isassociated with a second set of attribute values and a secondvulnerability, and wherein the second vulnerability is associated with asecond set of field values; (ii) merge the unmatched configuration iteminto the particular configuration item, wherein preference is given tomodified values of the second set of attribute values over correspondingvalues of the first set of attribute values; (iii) determine that thefirst vulnerability and the second vulnerability both represent aspecific vulnerability of the specific component; (iv) merge the firstvulnerability into the second vulnerability based on rules that considercontent and types of the first set of field values and the second set offield values; and (v) delete the unmatched configuration item and thefirst vulnerability from the persistent storage.

A second example embodiment may involve determining that an unmatchedconfiguration item and a particular configuration item both represent aspecific component of a managed network, wherein the unmatchedconfiguration item is associated with a first set of attribute valuesand a first vulnerability, wherein the first vulnerability is associatedwith a first set of field values, wherein the particular configurationitem is associated with a second set of attribute values and a secondvulnerability, and wherein the second vulnerability is associated with asecond set of field values. The second example embodiment may furtherinvolve merging the unmatched configuration item into the particularconfiguration item, wherein preference is given to modified values ofthe second set of attribute values over corresponding values of thefirst set of attribute values. The second example embodiment may furtherinvolve determining that the first vulnerability and the secondvulnerability both represent a specific vulnerability of the specificcomponent. The second example embodiment may further involve merging thefirst vulnerability into the second vulnerability based on rules thatconsider content and types of the first set of field values and thesecond set of field values. The second example embodiment may furtherinvolve deleting the unmatched configuration item and the firstvulnerability.

In a third example embodiment, an article of manufacture may include anon-transitory computer-readable medium, having stored thereon programinstructions that, upon execution by a computing system, cause thecomputing system to perform operations in accordance with the firstand/or second example embodiment.

In a fourth example embodiment, a computing system may include at leastone processor, as well as memory and program instructions. The programinstructions may be stored in the memory, and upon execution by the atleast one processor, cause the computing system to perform operations inaccordance with the first and/or second example embodiment.

In a fifth example embodiment, a system may include various means forcarrying out each of the operations of the first and/or second exampleembodiment.

These, as well as other embodiments, aspects, advantages, andalternatives, will become apparent to those of ordinary skill in the artby reading the following detailed description, with reference whereappropriate to the accompanying drawings. Further, this summary andother descriptions and figures provided herein are intended toillustrate embodiments by way of example only and, as such, thatnumerous variations are possible. For instance, structural elements andprocess steps can be rearranged, combined, distributed, eliminated, orotherwise changed, while remaining within the scope of the embodimentsas claimed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a schematic drawing of a computing device, inaccordance with example embodiments.

FIG. 2 illustrates a schematic drawing of a server device cluster, inaccordance with example embodiments.

FIG. 3 depicts a remote network management architecture, in accordancewith example embodiments.

FIG. 4 depicts a communication environment involving a remote networkmanagement architecture, in accordance with example embodiments.

FIG. 5A depicts another communication environment involving a remotenetwork management architecture, in accordance with example embodiments.

FIG. 5B is a flow chart, in accordance with example embodiments.

FIG. 6 depicts a vulnerability management architecture, in accordancewith example embodiments.

FIG. 7A depicts an arrangement of configuration items, in accordancewith example embodiments.

FIG. 7B depicts the arrangement of configuration items from FIG. 7Aafter merge operations, in accordance with example embodiments.

FIG. 8 is a set of rules for merging duplicate configuration items, inaccordance with example embodiments.

FIG. 9 depicts a table of rules for merging vulnerability fields, inaccordance with example embodiments.

FIG. 10 depicts a table of rules for merging a state field, inaccordance with example embodiments.

FIG. 11 is a flow chart, in accordance with example embodiments.

DETAILED DESCRIPTION

Example methods, devices, and systems are described herein. It should beunderstood that the words “example” and “exemplary” are used herein tomean “serving as an example, instance, or illustration.” Any embodimentor feature described herein as being an “example” or “exemplary” is notnecessarily to be construed as preferred or advantageous over otherembodiments or features unless stated as such. Thus, other embodimentscan be utilized and other changes can be made without departing from thescope of the subject matter presented herein.

Accordingly, the example embodiments described herein are not meant tobe limiting. It will be readily understood that the aspects of thepresent disclosure, as generally described herein, and illustrated inthe figures, can be arranged, substituted, combined, separated, anddesigned in a wide variety of different configurations. For example, theseparation of features into “client” and “server” components may occurin a number of ways.

Further, unless context suggests otherwise, the features illustrated ineach of the figures may be used in combination with one another. Thus,the figures should be generally viewed as component aspects of one ormore overall embodiments, with the understanding that not allillustrated features are necessary for each embodiment.

Additionally, any enumeration of elements, blocks, or steps in thisspecification or the claims is for purposes of clarity. Thus, suchenumeration should not be interpreted to require or imply that theseelements, blocks, or steps adhere to a particular arrangement or arecarried out in a particular order.

I. Introduction

A large enterprise is a complex entity with many interrelatedoperations. Some of these are found across the enterprise, such as humanresources (HR), supply chain, information technology (IT), and finance.However, each enterprise also has its own unique operations that provideessential capabilities and/or create competitive advantages.

To support widely-implemented operations, enterprises typically useoff-the-shelf software applications, such as customer relationshipmanagement (CRM) and human capital management (HCM) packages. However,they may also need custom software applications to meet their own uniquerequirements. A large enterprise often has dozens or hundreds of thesecustom software applications. Nonetheless, the advantages provided bythe embodiments herein are not limited to large enterprises and may beapplicable to an enterprise, or any other type of organization, of anysize.

Many such software applications are developed by individual departmentswithin the enterprise. These range from simple spreadsheets tocustom-built software tools and databases. But the proliferation ofsiloed custom software applications has numerous disadvantages. Itnegatively impacts an enterprise’s ability to run and grow itsoperations, innovate, and meet regulatory requirements. The enterprisemay find it difficult to integrate, streamline, and enhance itsoperations due to lack of a single system that unifies its subsystemsand data.

To efficiently create custom applications, enterprises would benefitfrom a remotely-hosted application platform that eliminates unnecessarydevelopment complexity. The goal of such a platform would be to reducetime-consuming, repetitive application development tasks so thatsoftware engineers and individuals in other roles can focus ondeveloping unique, high-value features.

In order to achieve this goal, the concept of Application Platform as aService (aPaaS) is introduced, to intelligently automate workflowsthroughout the enterprise. An aPaaS system is hosted remotely from theenterprise, but may access data, applications, and services within theenterprise by way of secure connections. Such an aPaaS system may have anumber of advantageous capabilities and characteristics. Theseadvantages and characteristics may be able to improve the enterprise’soperations and workflows for IT, HR, CRM, customer service, applicationdevelopment, and security.

The aPaaS system may support development and execution ofmodel-view-controller (MVC) applications. MVC applications divide theirfunctionality into three interconnected parts (model, view, andcontroller) in order to isolate representations of information from themanner in which the information is presented to the user, therebyallowing for efficient code reuse and parallel development. Theseapplications may be web-based, and offer create, read, update, anddelete (CRUD) capabilities. This allows new applications to be built ona common application infrastructure.

The aPaaS system may support standardized application components, suchas a standardized set of widgets for graphical user interface (GUI)development. In this way, applications built using the aPaaS system havea common look and feel. Other software components and modules may bestandardized as well. In some cases, this look and feel can be brandedor skinned with an enterprise’s custom logos and/or color schemes.

The aPaaS system may support the ability to configure the behavior ofapplications using metadata. This allows application behaviors to berapidly adapted to meet specific needs. Such an approach reducesdevelopment time and increases flexibility. Further, the aPaaS systemmay support GUI tools that facilitate metadata creation and management,thus reducing errors in the metadata.

The aPaaS system may support clearly-defined interfaces betweenapplications, so that software developers can avoid unwantedinter-application dependencies. Thus, the aPaaS system may implement aservice layer in which persistent state information and other data arestored.

The aPaaS system may support a rich set of integration features so thatthe applications thereon can interact with legacy applications andthird-party applications. For instance, the aPaaS system may support acustom employee-onboarding system that integrates with legacy HR, IT,and accounting systems.

The aPaaS system may support enterprise-grade security. Furthermore,since the aPaaS system may be remotely hosted, it should also utilizesecurity procedures when it interacts with systems in the enterprise orthird-party networks and services hosted outside of the enterprise. Forexample, the aPaaS system may be configured to share data amongst theenterprise and other parties to detect and identify common securitythreats.

Other features, functionality, and advantages of an aPaaS system mayexist. This description is for purpose of example and is not intended tobe limiting.

As an example of the aPaaS development process, a software developer maybe tasked to create a new application using the aPaaS system. First, thedeveloper may define the data model, which specifies the types of datathat the application uses and the relationships therebetween. Then, viaa GUI of the aPaaS system, the developer enters (e.g., uploads) the datamodel. The aPaaS system automatically creates all of the correspondingdatabase tables, fields, and relationships, which can then be accessedvia an object-oriented services layer.

In addition, the aPaaS system can also build a fully-functional MVCapplication with client-side interfaces and server-side CRUD logic. Thisgenerated application may serve as the basis of further development forthe user. Advantageously, the developer does not have to spend a largeamount of time on basic application functionality. Further, since theapplication may be web-based, it can be accessed from anyInternet-enabled client device. Alternatively or additionally, a localcopy of the application may be able to be accessed, for instance, whenInternet service is not available.

The aPaaS system may also support a rich set of pre-definedfunctionality that can be added to applications. These features includesupport for searching, email, templating, workflow design, reporting,analytics, social media, scripting, mobile-friendly output, andcustomized GUIs.

Such an aPaaS system may represent a GUI in various ways. For example, aserver device of the aPaaS system may generate a representation of a GUIusing a combination of HTML and JAVASCRIPT®. The JAVASCRIPT® may includeclient-side executable code, server-side executable code, or both. Theserver device may transmit or otherwise provide this representation to aclient device for the client device to display on a screen according toits locally-defined look and feel. Alternatively, a representation of aGUI may take other forms, such as an intermediate form (e.g., JAVA®byte-code) that a client device can use to directly generate graphicaloutput therefrom. Other possibilities exist.

Further, user interaction with GUI elements, such as buttons, menus,tabs, sliders, checkboxes, toggles, etc. may be referred to as“selection”, “activation”, or “actuation” thereof. These terms may beused regardless of whether the GUI elements are interacted with by wayof keyboard, pointing device, touchscreen, or another mechanism.

An aPaaS architecture is particularly powerful when integrated with anenterprise’s network and used to manage such a network. The followingembodiments describe architectural and functional aspects of exampleaPaaS systems, as well as the features and advantages thereof.

II. Example Computing Devices and Cloud-Based Computing Environments

FIG. 1 is a simplified block diagram exemplifying a computing device100, illustrating some of the components that could be included in acomputing device arranged to operate in accordance with the embodimentsherein. Computing device 100 could be a client device (e.g., a deviceactively operated by a user), a server device (e.g., a device thatprovides computational services to client devices), or some other typeof computational platform. Some server devices may operate as clientdevices from time to time in order to perform particular operations, andsome client devices may incorporate server features.

In this example, computing device 100 includes processor 102, memory104, network interface 106, and input / output unit 108, all of whichmay be coupled by system bus 110 or a similar mechanism. In someembodiments, computing device 100 may include other components and/orperipheral devices (e.g., detachable storage, printers, and so on).

Processor 102 may be one or more of any type of computer processingelement, such as a central processing unit (CPU), a co-processor (e.g.,a mathematics, graphics, or encryption co-processor), a digital signalprocessor (DSP), a network processor, and/or a form of integratedcircuit or controller that performs processor operations. In some cases,processor 102 may be one or more single-core processors. In other cases,processor 102 may be one or more multi-core processors with multipleindependent processing units. Processor 102 may also include registermemory for temporarily storing instructions being executed and relateddata, as well as cache memory for temporarily storing recently-usedinstructions and data.

Memory 104 may be any form of computer-usable memory, including but notlimited to random access memory (RAM), read-only memory (ROM), andnon-volatile memory (e.g., flash memory, hard disk drives, solid statedrives, compact discs (CDs), digital video discs (DVDs), and/or tapestorage). Thus, memory 104 represents both main memory units, as well aslong-term storage. Other types of memory may include biological memory.

Memory 104 may store program instructions and/or data on which programinstructions may operate. By way of example, memory 104 may store theseprogram instructions on a non-transitory, computer-readable medium, suchthat the instructions are executable by processor 102 to carry out anyof the methods, processes, or operations disclosed in this specificationor the accompanying drawings.

As shown in FIG. 1 , memory 104 may include firmware 104A, kernel 104B,and/or applications 104C. Firmware 104A may be program code used to bootor otherwise initiate some or all of computing device 100. Kernel 104Bmay be an operating system, including modules for memory management,scheduling and management of processes, input / output, andcommunication. Kernel 104B may also include device drivers that allowthe operating system to communicate with the hardware modules (e.g.,memory units, networking interfaces, ports, and buses) of computingdevice 100. Applications 104C may be one or more user-space softwareprograms, such as web browsers or email clients, as well as any softwarelibraries used by these programs. Memory 104 may also store data used bythese and other programs and applications.

Network interface 106 may take the form of one or more wirelineinterfaces, such as Ethernet (e.g., Fast Ethernet, Gigabit Ethernet, andso on). Network interface 106 may also support communication over one ormore non-Ethernet media, such as coaxial cables or power lines, or overwide-area media, such as Synchronous Optical Networking (SONET) ordigital subscriber line (DSL) technologies. Network interface 106 mayadditionally take the form of one or more wireless interfaces, such asIEEE 802.11 (Wifi), BLUETOOTH®, global positioning system (GPS), or awide-area wireless interface. However, other forms of physical layerinterfaces and other types of standard or proprietary communicationprotocols may be used over network interface 106. Furthermore, networkinterface 106 may comprise multiple physical interfaces. For instance,some embodiments of computing device 100 may include Ethernet,BLUETOOTH®, and Wifi interfaces.

Input / output unit 108 may facilitate user and peripheral deviceinteraction with computing device 100. Input / output unit 108 mayinclude one or more types of input devices, such as a keyboard, a mouse,a touch screen, and so on. Similarly, input / output unit 108 mayinclude one or more types of output devices, such as a screen, monitor,printer, and/or one or more light emitting diodes (LEDs). Additionallyor alternatively, computing device 100 may communicate with otherdevices using a universal serial bus (USB) or high-definition multimediainterface (HDMI) port interface, for example.

In some embodiments, one or more computing devices like computing device100 may be deployed to support an aPaaS architecture. The exact physicallocation, connectivity, and configuration of these computing devices maybe unknown and/or unimportant to client devices. Accordingly, thecomputing devices may be referred to as “cloud-based” devices that maybe housed at various remote data center locations.

FIG. 2 depicts a cloud-based server cluster 200 in accordance withexample embodiments. In FIG. 2 , operations of a computing device (e.g.,computing device 100) may be distributed between server devices 202,data storage 204, and routers 206, all of which may be connected bylocal cluster network 208. The number of server devices 202, datastorages 204, and routers 206 in server cluster 200 may depend on thecomputing task(s) and/or applications assigned to server cluster 200.

For example, server devices 202 can be configured to perform variouscomputing tasks of computing device 100. Thus, computing tasks can bedistributed among one or more of server devices 202. To the extent thatthese computing tasks can be performed in parallel, such a distributionof tasks may reduce the total time to complete these tasks and return aresult. For purposes of simplicity, both server cluster 200 andindividual server devices 202 may be referred to as a “server device.”This nomenclature should be understood to imply that one or moredistinct server devices, data storage devices, and cluster routers maybe involved in server device operations.

Data storage 204 may be data storage arrays that include drive arraycontrollers configured to manage read and write access to groups of harddisk drives and/or solid state drives. The drive array controllers,alone or in conjunction with server devices 202, may also be configuredto manage backup or redundant copies of the data stored in data storage204 to protect against drive failures or other types of failures thatprevent one or more of server devices 202 from accessing units of datastorage 204. Other types of memory aside from drives may be used.

Routers 206 may include networking equipment configured to provideinternal and external communications for server cluster 200. Forexample, routers 206 may include one or more packet-switching and/orrouting devices (including switches and/or gateways) configured toprovide (i) network communications between server devices 202 and datastorage 204 via local cluster network 208, and/or (ii) networkcommunications between server cluster 200 and other devices viacommunication link 210 to network 212.

Additionally, the configuration of routers 206 can be based at least inpart on the data communication requirements of server devices 202 anddata storage 204, the latency and throughput of the local clusternetwork 208, the latency, throughput, and cost of communication link210, and/or other factors that may contribute to the cost, speed,fault-tolerance, resiliency, efficiency, and/or other design goals ofthe system architecture.

As a possible example, data storage 204 may include any form ofdatabase, such as a structured query language (SQL) database. Varioustypes of data structures may store the information in such a database,including but not limited to tables, arrays, lists, trees, and tuples.Furthermore, any databases in data storage 204 may be monolithic ordistributed across multiple physical devices.

Server devices 202 may be configured to transmit data to and receivedata from data storage 204. This transmission and retrieval may take theform of SQL queries or other types of database queries, and the outputof such queries, respectively. Additional text, images, video, and/oraudio may be included as well. Furthermore, server devices 202 mayorganize the received data into web page or web applicationrepresentations. Such a representation may take the form of a markuplanguage, such as the hypertext markup language (HTML), the extensiblemarkup language (XML), or some other standardized or proprietary format.Moreover, server devices 202 may have the capability of executingvarious types of computerized scripting languages, such as but notlimited to Perl, Python, PHP Hypertext Preprocessor (PHP), Active ServerPages (ASP), JAVASCRIPT®, and so on. Computer program code written inthese languages may facilitate the providing of web pages to clientdevices, as well as client device interaction with the web pages.Alternatively or additionally, JAVA® may be used to facilitategeneration of web pages and/or to provide web application functionality.

III. Example Remote Network Management Architecture

FIG. 3 depicts a remote network management architecture, in accordancewith example embodiments. This architecture includes three maincomponents — managed network 300, remote network management platform320, and public cloud networks 340 — all connected by way of Internet350.

A. Managed Networks

Managed network 300 may be, for example, an enterprise network used byan entity for computing and communications tasks, as well as storage ofdata. Thus, managed network 300 may include client devices 302, serverdevices 304, routers 306, virtual machines 308, firewall 310, and/orproxy servers 312. Client devices 302 may be embodied by computingdevice 100, server devices 304 may be embodied by computing device 100or server cluster 200, and routers 306 may be any type of router,switch, or gateway.

Virtual machines 308 may be embodied by one or more of computing device100 or server cluster 200. In general, a virtual machine is an emulationof a computing system, and mimics the functionality (e.g., processor,memory, and communication resources) of a physical computer. Onephysical computing system, such as server cluster 200, may support up tothousands of individual virtual machines. In some embodiments, virtualmachines 308 may be managed by a centralized server device orapplication that facilitates allocation of physical computing resourcesto individual virtual machines, as well as performance and errorreporting. Enterprises often employ virtual machines in order toallocate computing resources in an efficient, as needed fashion.Providers of virtualized computing systems include VMWARE® andMICROSOFT®.

Firewall 310 may be one or more specialized routers or server devicesthat protect managed network 300 from unauthorized attempts to accessthe devices, applications, and services therein, while allowingauthorized communication that is initiated from managed network 300.Firewall 310 may also provide intrusion detection, web filtering, virusscanning, application-layer gateways, and other applications orservices. In some embodiments not shown in FIG. 3 , managed network 300may include one or more virtual private network (VPN) gateways withwhich it communicates with remote network management platform 320 (seebelow).

Managed network 300 may also include one or more proxy servers 312. Anembodiment of proxy servers 312 may be a server application thatfacilitates communication and movement of data between managed network300, remote network management platform 320, and public cloud networks340. In particular, proxy servers 312 may be able to establish andmaintain secure communication sessions with one or more computationalinstances of remote network management platform 320. By way of such asession, remote network management platform 320 may be able to discoverand manage aspects of the architecture and configuration of managednetwork 300 and its components. Possibly with the assistance of proxyservers 312, remote network management platform 320 may also be able todiscover and manage aspects of public cloud networks 340 that are usedby managed network 300.

Firewalls, such as firewall 310, typically deny all communicationsessions that are incoming by way of Internet 350, unless such a sessionwas ultimately initiated from behind the firewall (i.e., from a deviceon managed network 300) or the firewall has been explicitly configuredto support the session. By placing proxy servers 312 behind firewall 310(e.g., within managed network 300 and protected by firewall 310), proxyservers 312 may be able to initiate these communication sessions throughfirewall 310. Thus, firewall 310 might not have to be specificallyconfigured to support incoming sessions from remote network managementplatform 320, thereby avoiding potential security risks to managednetwork 300.

In some cases, managed network 300 may consist of a few devices and asmall number of networks. In other deployments, managed network 300 mayspan multiple physical locations and include hundreds of networks andhundreds of thousands of devices. Thus, the architecture depicted inFIG. 3 is capable of scaling up or down by orders of magnitude.

Furthermore, depending on the size, architecture, and connectivity ofmanaged network 300, a varying number of proxy servers 312 may bedeployed therein. For example, each one of proxy servers 312 may beresponsible for communicating with remote network management platform320 regarding a portion of managed network 300. Alternatively oradditionally, sets of two or more proxy servers may be assigned to sucha portion of managed network 300 for purposes of load balancing,redundancy, and/or high availability.

B. Remote Network Management Platforms

Remote network management platform 320 is a hosted environment thatprovides aPaaS services to users, particularly to the operator ofmanaged network 300. These services may take the form of web-basedportals, for example, using the aforementioned web-based technologies.Thus, a user can securely access remote network management platform 320from, for example, client devices 302, or potentially from a clientdevice outside of managed network 300. By way of the web-based portals,users may design, test, and deploy applications, generate reports, viewanalytics, and perform other tasks.

As shown in FIG. 3 , remote network management platform 320 includesfour computational instances 322, 324, 326, and 328. Each of thesecomputational instances may represent one or more server nodes operatingdedicated copies of the aPaaS software and/or one or more databasenodes. The arrangement of server and database nodes on physical serverdevices and/or virtual machines can be flexible and may vary based onenterprise needs. In combination, these nodes may provide a set of webportals, services, and applications (e.g., a wholly-functioning aPaaSsystem) available to a particular enterprise. In some cases, a singleenterprise may use multiple computational instances.

For example, managed network 300 may be an enterprise customer of remotenetwork management platform 320, and may use computational instances322, 324, and 326. The reason for providing multiple computationalinstances to one customer is that the customer may wish to independentlydevelop, test, and deploy its applications and services. Thus,computational instance 322 may be dedicated to application developmentrelated to managed network 300, computational instance 324 may bededicated to testing these applications, and computational instance 326may be dedicated to the live operation of tested applications andservices. A computational instance may also be referred to as a hostedinstance, a remote instance, a customer instance, or by some otherdesignation. Any application deployed onto a computational instance maybe a scoped application, in that its access to databases within thecomputational instance can be restricted to certain elements therein(e.g., one or more particular database tables or particular rows withinone or more database tables).

For purposes of clarity, the disclosure herein refers to the arrangementof application nodes, database nodes, aPaaS software executing thereon,and underlying hardware as a “computational instance.” Note that usersmay colloquially refer to the graphical user interfaces provided therebyas “instances.” But unless it is defined otherwise herein, a“computational instance” is a computing system disposed within remotenetwork management platform 320.

The multi-instance architecture of remote network management platform320 is in contrast to conventional multi-tenant architectures, overwhich multi-instance architectures exhibit several advantages. Inmulti-tenant architectures, data from different customers (e.g.,enterprises) are comingled in a single database. While these customers’data are separate from one another, the separation is enforced by thesoftware that operates the single database. As a consequence, a securitybreach in this system may impact all customers’ data, creatingadditional risk, especially for entities subject to governmental,healthcare, and/or financial regulation. Furthermore, any databaseoperations that impact one customer will likely impact all customerssharing that database. Thus, if there is an outage due to hardware orsoftware errors, this outage affects all such customers. Likewise, ifthe database is to be upgraded to meet the needs of one customer, itwill be unavailable to all customers during the upgrade process. Often,such maintenance windows will be long, due to the size of the shareddatabase.

In contrast, the multi-instance architecture provides each customer withits own database in a dedicated computing instance. This preventscomingling of customer data, and allows each instance to beindependently managed. For example, when one customer’s instanceexperiences an outage due to errors or an upgrade, other computationalinstances are not impacted. Maintenance down time is limited because thedatabase only contains one customer’s data. Further, the simpler designof the multi-instance architecture allows redundant copies of eachcustomer database and instance to be deployed in a geographicallydiverse fashion. This facilitates high availability, where the liveversion of the customer’s instance can be moved when faults are detectedor maintenance is being performed.

In some embodiments, remote network management platform 320 may includeone or more central instances, controlled by the entity that operatesthis platform. Like a computational instance, a central instance mayinclude some number of application and database nodes disposed upon somenumber of physical server devices or virtual machines. Such a centralinstance may serve as a repository for specific configurations ofcomputational instances as well as data that can be shared amongst atleast some of the computational instances. For instance, definitions ofcommon security threats that could occur on the computational instances,software packages that are commonly discovered on the computationalinstances, and/or an application store for applications that can bedeployed to the computational instances may reside in a centralinstance. Computational instances may communicate with central instancesby way of well-defined interfaces in order to obtain this data.

In order to support multiple computational instances in an efficientfashion, remote network management platform 320 may implement aplurality of these instances on a single hardware platform. For example,when the aPaaS system is implemented on a server cluster such as servercluster 200, it may operate virtual machines that dedicate varyingamounts of computational, storage, and communication resources toinstances. But full virtualization of server cluster 200 might not benecessary, and other mechanisms may be used to separate instances. Insome examples, each instance may have a dedicated account and one ormore dedicated databases on server cluster 200. Alternatively, acomputational instance such as computational instance 322 may spanmultiple physical devices.

In some cases, a single server cluster of remote network managementplatform 320 may support multiple independent enterprises. Furthermore,as described below, remote network management platform 320 may includemultiple server clusters deployed in geographically diverse data centersin order to facilitate load balancing, redundancy, and/or highavailability.

C. Public Cloud Networks

Public cloud networks 340 may be remote server devices (e.g., aplurality of server clusters such as server cluster 200) that can beused for outsourced computation, data storage, communication, andservice hosting operations. These servers may be virtualized (i.e., theservers may be virtual machines). Examples of public cloud networks 340may include AMAZON WEB SERVICES® and MICROSOFT® AZURE®. Like remotenetwork management platform 320, multiple server clusters supportingpublic cloud networks 340 may be deployed at geographically diverselocations for purposes of load balancing, redundancy, and/or highavailability.

Managed network 300 may use one or more of public cloud networks 340 todeploy applications and services to its clients and customers. Forinstance, if managed network 300 provides online music streamingservices, public cloud networks 340 may store the music files andprovide web interface and streaming capabilities. In this way, theenterprise of managed network 300 does not have to build and maintainits own servers for these operations.

Remote network management platform 320 may include modules thatintegrate with public cloud networks 340 to expose virtual machines andmanaged services therein to managed network 300. The modules may allowusers to request virtual resources, discover allocated resources, andprovide flexible reporting for public cloud networks 340. In order toestablish this functionality, a user from managed network 300 mightfirst establish an account with public cloud networks 340, and request aset of associated resources. Then, the user may enter the accountinformation into the appropriate modules of remote network managementplatform 320. These modules may then automatically discover themanageable resources in the account, and also provide reports related tousage, performance, and billing.

D. Communication Support and Other Operations

Internet 350 may represent a portion of the global Internet. However,Internet 350 may alternatively represent a different type of network,such as a private wide-area or local-area packet-switched network.

FIG. 4 further illustrates the communication environment between managednetwork 300 and computational instance 322, and introduces additionalfeatures and alternative embodiments. In FIG. 4 , computational instance322 is replicated across data centers 400A and 400B. These data centersmay be geographically distant from one another, perhaps in differentcities or different countries. Each data center includes supportequipment that facilitates communication with managed network 300, aswell as remote users.

In data center 400A, network traffic to and from external devices flowseither through VPN gateway 402A or firewall 404A. VPN gateway 402A maybe peered with VPN gateway 412 of managed network 300 by way of asecurity protocol such as Internet Protocol Security (IPSEC) orTransport Layer Security (TLS). Firewall 404A may be configured to allowaccess from authorized users, such as user 414 and remote user 416, andto deny access to unauthorized users. By way of firewall 404A, theseusers may access computational instance 322, and possibly othercomputational instances. Load balancer 406A may be used to distributetraffic amongst one or more physical or virtual server devices that hostcomputational instance 322. Load balancer 406A may simplify user accessby hiding the internal configuration of data center 400A, (e.g.,computational instance 322) from client devices. For instance, ifcomputational instance 322 includes multiple physical or virtualcomputing devices that share access to multiple databases, load balancer406A may distribute network traffic and processing tasks across thesecomputing devices and databases so that no one computing device ordatabase is significantly busier than the others. In some embodiments,computational instance 322 may include VPN gateway 402A, firewall 404A,and load balancer 406A.

Data center 400B may include its own versions of the components in datacenter 400A. Thus, VPN gateway 402B, firewall 404B, and load balancer406B may perform the same or similar operations as VPN gateway 402A,firewall 404A, and load balancer 406A, respectively. Further, by way ofreal-time or near-real-time database replication and/or otheroperations, computational instance 322 may exist simultaneously in datacenters 400A and 400B.

Data centers 400A and 400B as shown in FIG. 4 may facilitate redundancyand high availability. In the configuration of FIG. 4 , data center 400Ais active and data center 400B is passive. Thus, data center 400A isserving all traffic to and from managed network 300, while the versionof computational instance 322 in data center 400B is being updated innear-real-time. Other configurations, such as one in which both datacenters are active, may be supported.

Should data center 400A fail in some fashion or otherwise becomeunavailable to users, data center 400B can take over as the active datacenter. For example, domain name system (DNS) servers that associate adomain name of computational instance 322 with one or more InternetProtocol (IP) addresses of data center 400A may re-associate the domainname with one or more IP addresses of data center 400B. After thisre-association completes (which may take less than one second or severalseconds), users may access computational instance 322 by way of datacenter 400B.

FIG. 4 also illustrates a possible configuration of managed network 300.As noted above, proxy servers 312 and user 414 may access computationalinstance 322 through firewall 310. Proxy servers 312 may also accessconfiguration items 410. In FIG. 4 , configuration items 410 may referto any or all of client devices 302, server devices 304, routers 306,and virtual machines 308, any applications or services executingthereon, as well as relationships between devices, applications, andservices. Thus, the term “configuration items” may be shorthand for anyphysical or virtual device, or any application or service remotelydiscoverable or managed by computational instance 322, or relationshipsbetween discovered devices, applications, and services. Configurationitems may be represented in a configuration management database (CMDB)of computational instance 322.

As noted above, VPN gateway 412 may provide a dedicated VPN to VPNgateway 402A. Such a VPN may be helpful when there is a significantamount of traffic between managed network 300 and computational instance322, or security policies otherwise suggest or require use of a VPNbetween these sites. In some embodiments, any device in managed network300 and/or computational instance 322 that directly communicates via theVPN is assigned a public IP address. Other devices in managed network300 and/or computational instance 322 may be assigned private IPaddresses (e.g., IP addresses selected from the 10.0.0.0 -10.255.255.255 or 192.168.0.0 - 192.168.255.255 ranges, represented inshorthand as subnets 10.0.0.0/8 and 192.168.0.0/16, respectively).

IV. Example Device, Application, and Service Discovery

In order for remote network management platform 320 to administer thedevices, applications, and services of managed network 300, remotenetwork management platform 320 may first determine what devices arepresent in managed network 300, the configurations and operationalstatuses of these devices, and the applications and services provided bythe devices, as well as the relationships between discovered devices,applications, and services. As noted above, each device, application,service, and relationship may be referred to as a configuration item.The process of defining configuration items within managed network 300is referred to as discovery, and may be facilitated at least in part byproxy servers 312.

For purposes of the embodiments herein, an “application” may refer toone or more processes, threads, programs, client modules, servermodules, or any other software that executes on a device or group ofdevices. A “service” may refer to a high-level capability provided bymultiple applications executing on one or more devices working inconjunction with one another. For example, a high-level web service mayinvolve multiple web application server threads executing on one deviceand accessing information from a database application that executes onanother device.

FIG. 5A provides a logical depiction of how configuration items can bediscovered, as well as how information related to discoveredconfiguration items can be stored. For sake of simplicity, remotenetwork management platform 320, public cloud networks 340, and Internet350 are not shown.

In FIG. 5A, CMDB 500 and task list 502 are stored within computationalinstance 322. Computational instance 322 may transmit discovery commandsto proxy servers 312. In response, proxy servers 312 may transmit probesto various devices, applications, and services in managed network 300.These devices, applications, and services may transmit responses toproxy servers 312, and proxy servers 312 may then provide informationregarding discovered configuration items to CMDB 500 for storagetherein. Configuration items stored in CMDB 500 represent theenvironment of managed network 300.

Task list 502 represents a list of activities that proxy servers 312 areto perform on behalf of computational instance 322. As discovery takesplace, task list 502 is populated. Proxy servers 312 repeatedly querytask list 502, obtain the next task therein, and perform this task untiltask list 502 is empty or another stopping condition has been reached.

To facilitate discovery, proxy servers 312 may be configured withinformation regarding one or more subnets in managed network 300 thatare reachable by way of proxy servers 312. For instance, proxy servers312 may be given the IP address range 192.168.0/24 as a subnet. Then,computational instance 322 may store this information in CMDB 500 andplace tasks in task list 502 for discovery of devices at each of theseaddresses.

FIG. 5A also depicts devices, applications, and services in managednetwork 300 as configuration items 504, 506, 508, 510, and 512. As notedabove, these configuration items represent a set of physical and/orvirtual devices (e.g., client devices, server devices, routers, orvirtual machines), applications executing thereon (e.g., web servers,email servers, databases, or storage arrays), relationshipstherebetween, as well as services that involve multiple individualconfiguration items.

Placing the tasks in task list 502 may trigger or otherwise cause proxyservers 312 to begin discovery. Alternatively or additionally, discoverymay be manually triggered or automatically triggered based on triggeringevents (e.g., discovery may automatically begin once per day at aparticular time).

In general, discovery may proceed in four logical phases: scanning,classification, identification, and exploration. Each phase of discoveryinvolves various types of probe messages being transmitted by proxyservers 312 to one or more devices in managed network 300. The responsesto these probes may be received and processed by proxy servers 312, andrepresentations thereof may be transmitted to CMDB 500. Thus, each phasecan result in more configuration items being discovered and stored inCMDB 500.

In the scanning phase, proxy servers 312 may probe each IP address inthe specified range of IP addresses for open Transmission ControlProtocol (TCP) and/or User Datagram Protocol (UDP) ports to determinethe general type of device. The presence of such open ports at an IPaddress may indicate that a particular application is operating on thedevice that is assigned the IP address, which in turn may identify theoperating system used by the device. For example, if TCP port 135 isopen, then the device is likely executing a WINDOWS® operating system.Similarly, if TCP port 22 is open, then the device is likely executing aUNIX® operating system, such as LINUX®. If UDP port 161 is open, thenthe device may be able to be further identified through the SimpleNetwork Management Protocol (SNMP). Other possibilities exist. Once thepresence of a device at a particular IP address and its open ports havebeen discovered, these configuration items are saved in CMDB 500.

In the classification phase, proxy servers 312 may further probe eachdiscovered device to determine the version of its operating system. Theprobes used for a particular device are based on information gatheredabout the devices during the scanning phase. For example, if a device isfound with TCP port 22 open, a set of UNIX®-specific probes may be used.Likewise, if a device is found with TCP port 135 open, a set ofWINDOWS®-specific probes may be used. For either case, an appropriateset of tasks may be placed in task list 502 for proxy servers 312 tocarry out. These tasks may result in proxy servers 312 logging on, orotherwise accessing information from the particular device. Forinstance, if TCP port 22 is open, proxy servers 312 may be instructed toinitiate a Secure Shell (SSH) connection to the particular device andobtain information about the operating system thereon from particularlocations in the file system. Based on this information, the operatingsystem may be determined. As an example, a UNIX® device with TCP port 22open may be classified as AIX®, HPUX, LINUX®, MACOS®, or SOLARIS®. Thisclassification information may be stored as one or more configurationitems in CMDB 500.

In the identification phase, proxy servers 312 may determine specificdetails about a classified device. The probes used during this phase maybe based on information gathered about the particular devices during theclassification phase. For example, if a device was classified as LINUX®,a set of LINUX®-specific probes may be used. Likewise, if a device wasclassified as WINDOWS® 2012, as a set of WINDOWS®-2012-specific probesmay be used. As was the case for the classification phase, anappropriate set of tasks may be placed in task list 502 for proxyservers 312 to carry out. These tasks may result in proxy servers 312reading information from the particular device, such as basic input /output system (BIOS) information, serial numbers, network interfaceinformation, media access control address(es) assigned to these networkinterface(s), IP address(es) used by the particular device and so on.This identification information may be stored as one or moreconfiguration items in CMDB 500.

In the exploration phase, proxy servers 312 may determine furtherdetails about the operational state of a classified device. The probesused during this phase may be based on information gathered about theparticular devices during the classification phase and/or theidentification phase. Again, an appropriate set of tasks may be placedin task list 502 for proxy servers 312 to carry out. These tasks mayresult in proxy servers 312 reading additional information from theparticular device, such as processor information, memory information,lists of running processes (applications), and so on. Once more, thediscovered information may be stored as one or more configuration itemsin CMDB 500.

Running discovery on a network device, such as a router, may utilizeSNMP. Instead of or in addition to determining a list of runningprocesses or other application-related information, discovery maydetermine additional subnets known to the router and the operationalstate of the router’s network interfaces (e.g., active, inactive, queuelength, number of packets dropped, etc.). The IP addresses of theadditional subnets may be candidates for further discovery procedures.Thus, discovery may progress iteratively or recursively.

Once discovery completes, a snapshot representation of each discovereddevice, application, and service is available in CMDB 500. For example,after discovery, operating system version, hardware configuration, andnetwork configuration details for client devices, server devices, androuters in managed network 300, as well as applications executingthereon, may be stored. This collected information may be presented to auser in various ways to allow the user to view the hardware compositionand operational status of devices, as well as the characteristics ofservices that span multiple devices and applications.

Furthermore, CMDB 500 may include entries regarding dependencies andrelationships between configuration items. More specifically, anapplication that is executing on a particular server device, as well asthe services that rely on this application, may be represented as suchin CMDB 500. For example, suppose that a database application isexecuting on a server device, and that this database application is usedby a new employee onboarding service as well as a payroll service. Thus,if the server device is taken out of operation for maintenance, it isclear that the employee onboarding service and payroll service will beimpacted. Likewise, the dependencies and relationships betweenconfiguration items may be able to represent the services impacted whena particular router fails.

In general, dependencies and relationships between configuration itemsmay be displayed on a web-based interface and represented in ahierarchical fashion. Thus, adding, changing, or removing suchdependencies and relationships may be accomplished by way of thisinterface.

Furthermore, users from managed network 300 may develop workflows thatallow certain coordinated activities to take place across multiplediscovered devices. For instance, an IT workflow might allow the user tochange the common administrator password to all discovered LINUX®devices in a single operation.

In order for discovery to take place in the manner described above,proxy servers 312, CMDB 500, and/or one or more credential stores may beconfigured with credentials for one or more of the devices to bediscovered. Credentials may include any type of information needed inorder to access the devices. These may include userid / password pairs,certificates, and so on. In some embodiments, these credentials may bestored in encrypted fields of CMDB 500. Proxy servers 312 may containthe decryption key for the credentials so that proxy servers 312 can usethese credentials to log on to or otherwise access devices beingdiscovered.

The discovery process is depicted as a flow chart in FIG. 5B. At block520, the task list in the computational instance is populated, forinstance, with a range of IP addresses. At block 522, the scanning phasetakes place. Thus, the proxy servers probe the IP addresses for devicesusing these IP addresses, and attempt to determine the operating systemsthat are executing on these devices. At block 524, the classificationphase takes place. The proxy servers attempt to determine the operatingsystem version of the discovered devices. At block 526, theidentification phase takes place. The proxy servers attempt to determinethe hardware and/or software configuration of the discovered devices. Atblock 528, the exploration phase takes place. The proxy servers attemptto determine the operational state and applications executing on thediscovered devices. At block 530, further editing of the configurationitems representing the discovered devices and applications may takeplace. This editing may be automated and/or manual in nature.

The blocks represented in FIG. 5B are examples. Discovery may be ahighly configurable procedure that can have more or fewer phases, andthe operations of each phase may vary. In some cases, one or more phasesmay be customized, or may otherwise deviate from the exemplarydescriptions above.

In this manner, a remote network management platform may discover andinventory the hardware, software, and services deployed on and providedby the managed network. As noted above, this data may be stored in aCMDB of the associated computational instance as configuration items.For example, individual hardware components (e.g., computing devices,virtual servers, databases, routers, etc.) may be represented ashardware configuration items, while the applications installed and/orexecuting thereon may be represented as software configuration items.

The relationship between a software configuration item installed orexecuting on a hardware configuration item may take various forms, suchas “is hosted on”, “runs on”, or “depends on”. Thus, a databaseapplication installed on a server device may have the relationship “ishosted on” with the server device to indicate that the databaseapplication is hosted on the server device. In some embodiments, theserver device may have a reciprocal relationship of “used by” with thedatabase application to indicate that the server device is used by thedatabase application. These relationships may be automatically foundusing the discovery procedures described above, though it is possible tomanually set relationships as well.

The relationship between a service and one or more softwareconfiguration items may also take various forms. As an example, a webservice may include a web server software configuration item and adatabase application software configuration item, each installed ondifferent hardware configuration items. The web service may have a“depends on” relationship with both of these software configurationitems, while the software configuration items have a “used by”reciprocal relationship with the web service. Services might not be ableto be fully determined by discovery procedures, and instead may rely onservice mapping (e.g., probing configuration files and/or carrying outnetwork traffic analysis to determine service level relationshipsbetween configuration items) and possibly some extent of manualconfiguration.

Regardless of how relationship information is obtained, it can bevaluable for the operation of a managed network. Notably, IT personnelcan quickly determine where certain software applications are deployed,and what configuration items make up a service. This allows for rapidpinpointing of root causes of service outages or degradation. Forexample, if two different services are suffering from slow responsetimes, the CMDB can be queried (perhaps among other activities) todetermine that the root cause is a database application that is used byboth services having high processor utilization. Thus, IT personnel canaddress the database application rather than waste time considering thehealth and performance of other configuration items that make up theservices.

V. CMDB Identification Rules and Reconciliation

A CMDB, such as CMDB 500, provides a repository of configuration items,and when properly provisioned, can take on a key role in higher-layerapplications deployed within or involving a computational instance.These applications may relate to enterprise IT service management,operations management, asset management, configuration management,compliance, and so on.

For example, an IT service management application may use information inthe CMDB to determine applications and services that may be impacted bya component (e.g., a server device) that has malfunctioned, crashed, oris heavily loaded. Likewise, an asset management application may useinformation in the CMDB to determine which hardware and/or softwarecomponents are being used to support particular enterprise applications.As a consequence of the importance of the CMDB, it is desirable for theinformation stored therein to be accurate, consistent, and up to date.

A CMDB may be populated in various ways. As discussed above, a discoveryprocedure may automatically store information related to configurationitems in the CMDB. However, a CMDB can also be populated, as a whole orin part, by manual entry, configuration files, and third-party datasources. Given that multiple data sources may be able to update the CMDBat any time, it is possible that one data source may overwrite entriesof another data source. Also, two data sources may each create slightlydifferent entries for the same configuration item, resulting in a CMDBcontaining duplicate data. When either of these occurrences takes place,they can cause the health and utility of the CMDB to be reduced.

In order to mitigate this situation, these data sources might not writeconfiguration items directly to the CMDB. Instead, they may write to anidentification and reconciliation application programming interface(API). This API may use a set of configurable identification rules thatcan be used to uniquely identify configuration items and determinewhether and how they are written to the CMDB.

In general, an identification rule specifies a set of configuration itemattributes that can be used for this unique identification.Identification rules may also have priorities so that rules with higherpriorities are considered before rules with lower priorities.Additionally, a rule may be independent, in that the rule identifiesconfiguration items independently of other configuration items.Alternatively, the rule may be dependent, in that the rule first uses ametadata rule to identify a dependent configuration item.

Metadata rules describe which other configuration items are containedwithin a particular configuration item, or the host on which aparticular configuration item is deployed. For example, a networkdirectory service configuration item may contain a domain controllerconfiguration item, while a web server application configuration itemmay be hosted on a server device configuration item.

A goal of each identification rule is to use a combination of attributesthat can unambiguously distinguish a configuration item from all otherconfiguration items, and is expected not to change during the lifetimeof the configuration item. Some possible attributes for an exampleserver device may include serial number, location, operating system,operating system version, memory capacity, and so on. If a rulespecifies attributes that do not uniquely identify the configurationitem, then multiple components may be represented as the sameconfiguration item in the CMDB. Also, if a rule specifies attributesthat change for a particular configuration item, duplicate configurationitems may be created.

Thus, when a data source provides information regarding a configurationitem to the identification and reconciliation API, the API may attemptto match the information with one or more rules. If a match is found,the configuration item is written to the CMDB. If a match is not found,the configuration item may be held for further analysis.

Configuration item reconciliation procedures may be used to ensure thatonly authoritative data sources are allowed to overwrite configurationitem data in the CMDB. This reconciliation may also be rules-based. Forinstance, a reconciliation rule may specify that a particular datasource is authoritative for a particular configuration item type and setof attributes. Then, the identification and reconciliation API will onlypermit this authoritative data source to write to the particularconfiguration item, and writes from unauthorized data sources may beprevented. Thus, the authorized data source becomes the single source oftruth regarding the particular configuration item. In some cases, anunauthorized data source may be allowed to write to a configuration itemif it is creating the configuration item or the attributes to which itis writing are empty.

Additionally, multiple data sources may be authoritative for the sameconfiguration item or attributes thereof. To avoid ambiguities, thesedata sources may be assigned precedences that are taken into accountduring the writing of configuration items. For example, a secondaryauthorized data source may be able to write to a configuration item’sattribute until a primary authorized data source writes to thisattribute. Afterward, further writes to the attribute by the secondaryauthorized data source may be prevented.

In some cases, duplicate configuration items may be automaticallydetected by reconciliation procedures or in another fashion. Theseconfiguration items may be flagged for manual de-duplication.

VI. Vulnerabilities

The vulnerabilities discussed herein may relate to known defects inhardware, operating systems, and/or software packages deployedthroughout a managed network. Exploitation of a vulnerability may resultin a negative impact to the data confidentiality, integrity, and/oravailability of one or more computing devices. Such vulnerabilities maybe associated with different severities.

For example, a first hypothetical vulnerability may be that opening acertain type of file in a word processing application provides aremotely-exploitable mechanism through which an attacker can gain accessto the computing device on which the word processing application isinstalled. This would likely be viewed a critical vulnerability, as itcould lead to unauthorized access to confidential data. On the otherhand, a second hypothetical vulnerability may be that providing certaininput to a web browsing application may cause the screen of thecomputing device on which the web browsing application is installed togo blank. This would likely be viewed as a non-critical vulnerability,as it is a mere annoyance to the user. Severity may be chosen, forexample, on a spectrum from critical (most severe), to high, to medium,to low (least severe).

Listings of known vulnerabilities are published by governments, as wellas various commercial entities. For example, the U.S. National Instituteof Standards and Technology (NIST) maintains a public nationalvulnerability database, listing known vulnerabilities, their severities,and their exploitability (e.g., how an attacker might go about using thevulnerability and how hard this process might be). Exploitability scalesmay include indications of whether a known exploit exists, how skilledan attacker would have to be to use the exploit, whether the attackerneeds physical access to a target computing device to use the exploit,and/or if the exploit can be used by way of a local or remote network.

Commercial listings may overlap with the government listings and withone another, but can include different vulnerability listings, and usedifferent severity scales and/or exploitability scales. Thesediscrepancies may be due to inherent subjectivity related to classifyingvulnerability severity and exploitability, or that these commercial andgovernmental entities have had different experiences when testing thevulnerability.

Each vulnerability may be associated with a number of fields, and eachfield may take on a value. Examples of possible field of a vulnerabilityinclude whether it is active, to whom it is assigned, its severity, areference to a configuration item on which it was detected, the IPaddress of a device on which it was detected, the DNS address of adevice on which it was detected, when it was detected (opened), a shortdescription of the vulnerability, a status of the vulnerability, and soon. A more complete list of these fields is provided in FIG. 9 .

It should be noted that vulnerabilities are not the same as activesecurity threats. Vulnerabilities indicate that a problem has beenidentified independent of whether the vulnerability has been actuallyexploited. Active security threats, on the other hand, are ongoingexploitations that often require immediate attention. For example, alive distributed denial of service (DDOS) attack should be addressed inreal time, regardless of whether any vulnerabilities that it uses areknown.

Thus, security managers address vulnerabilities as time allows based ontheir severities and other factors. Critical severity vulnerabilitiesmay be targeted for resolution within 3 days, for example, while highseverity vulnerabilities may be targeted for resolution within 30 days,and so on. Vulnerabilities with lower-level severities may be addressedon an as-time-permits basis or might not be scheduled for resolution atall, as these non-critical vulnerabilities may be deemed low enough riskthat security managers should be spending their time carrying out moreimportant tasks instead.

Addressing a vulnerability may occur in various ways. In some cases, thevendor of an operating system or software package with an identifiedvulnerability may publish an installable patch that resolves thevulnerability. Alternatively, the vendor or another party may identify aworkaround to the vulnerability, such as settings that mitigate orprevent the vulnerability from occurring. In some cases, securitymanagers may disable software packages with unpatched vulnerabilities orissue warnings to users until a patch or workaround is available. Inextreme situations, vulnerable software may be temporarily orpermanently removed from impacted computing devices. Nonetheless, once aresolution is available, security managers may schedule the resolutionto be applied in accordance with the severity of the vulnerability.

As the scope of computer networks and the extent of available softwarepackages have grown dramatically, so has the number of vulnerabilities.For instance, the NIST database identified 1537 new vulnerabilities inApril 2019 alone. This is in addition to other vulnerabilities that mayhave been identified in the past. As a result, there are over 117,000known vulnerabilities in the NIST database. Identifying thesevulnerabilities and their associated severities is not possible to do byhand even for a small managed network with just a few devices.

VII. Vulnerability Management Architecture

In order to be addressed, vulnerabilities are first detected on amanaged network. Given the intractability of doing so manually, a numberof software tools are available that perform automated vulnerabilitydetection. Some of these tools include, but are not limited to, NESSUS®,QUALYSGUARD®, and RAPID7®. For purposes of simplicity, variousvulnerability detection and assessment tools are referred to asthird-party vulnerability detection tools or vulnerability scanners inthe discussion below.

FIG. 6 depicts a vulnerability management architecture 600. Architecture600 includes managed network 300, remote network management platform320, and third-party vulnerability detection and assessment cloud 606(referred to as cloud 606 for short), all connected by Internet 350.

Managed network 300 is largely the same as shown in FIG. 3 , but justshowing configuration items 602, vulnerability scanner 604, and proxyserver(s) 312. Each of configuration items 602 may represent a virtualor physical computing device, a software application installed upon sucha computing device, or a service provided by one or more computingdevices. Vulnerability scanner 604 may be a dedicated unit of softwareand/or a virtual or physical computing device that is deployed withinmanaged network 300 to detect vulnerabilities relating to configurationitems 602. Thus, vulnerability scanner 604 may be referred to as avulnerability detection tool. Proxy server(s) 312 may take on the sameor similar functionality as described above.

In some embodiments, vulnerability scanner 604 may include a softwareagent that is deployed on multiple endpoints, where each endpoint isrepresented as one or more of configuration items 602. In these or otherembodiments, vulnerability scanner 604 may include one or more softwareapplications deployed on one or more dedicated computing devices. Ineither situation, vulnerability scanner 604 may scan or otherwiseremotely access configuration items 602 to detect vulnerabilities. Forexample, vulnerability scanner 604 may scan configuration items 602 -e.g., probe for open TCP/IP ports on computing devices, and/or log on tocomputing devices to determine the operating system, softwareapplications installed thereon, and versions thereof. In someembodiments, vulnerability scanner 604 may store the results of thesescans locally, may transmit the results to cloud 606, and/or maytransmit the results to computational instance 322 for processing byvulnerability response module 608 and/or storage in CMDB 500, forexample. Vulnerability scanner 604 may represent its results in variousways, such as an identification or description of the vulnerability, aswell as some information about the hardware or software component onwhich the vulnerability has been found. These representations mayinclude the vulnerability fields mentioned above and described below inmore detail.

Remote network management platform 320 is the same or similar to that ofFIG. 3 , but showing only one computational instance, computationalinstance 322, for sake of simplicity. Computational instance 322includes vulnerability response module 608 and CMDB 500. Vulnerabilityresponse module 608 may be an application configured to integratevulnerabilities found by vulnerability scanner 604 into CMDB 500. Asdescribed above, CMDB 500 may include representations of configurationitems 602, including multiple attributes for each.

Cloud 606 is an optional component that might not be present whenvulnerability scanner 604 stores the results of scans locally. However,when present, cloud 606 receives these results, and cloud 606 may storeand assess the results. For instance, cloud 606 may identifyvulnerabilities based on the operating system and version thereof,operating system configuration, software application and versionthereof, software configuration, and possibly other metrics as well. Theidentified vulnerabilities may be stored and then made available by wayof an interface, such as a web-based graphical user interface, aJavaScript Object Notation (JSON) interface, an XML interface, or someother form of interface.

In particular, vulnerability response module 608 may be configured toobtain the results of a vulnerability scan from cloud 606, or fromvulnerability scanner 604 by way of proxy server(s) 312. Vulnerabilityresponse module 608 may then use information that identifies theconfiguration item on which the vulnerability was found to look up theconfiguration item in CMDB 500. As part of this lookup process, theidentification rules and reconciliation techniques described above maybe used.

If the lookup results in a match, the vulnerability may be associatedwith the discovered configuration item in CMDB 500. If the lookup doesnot result in a match, then vulnerability response module 608 may createa new, unmatched configuration item in CMDB 500 based on thisidentifying information. Vulnerability response module 608 may thenassociate the vulnerability with this unmatched configuration item. Anunmatched configuration item may be similar to other configuration itemsexcept that it contains an attribute value indicating that it isunmatched.

As a consequence of this processing, some of the content of CMDB 500 mayresemble the arrangement of FIG. 7A. In particular, FIG. 7A providesexamples of configuration items stored in CMDB 500. Relationshipsbetween these configuration items are not shown for purposes ofsimplicity.

Configuration items 700, 702, and 704 are assumed to have been generatedin response to discovery processes executed by computational instance322, and therefore may be referred to as “discovered” configurationitems. As noted above, a discovered configuration item herein may be aconfiguration item that was provided to CMDB 500 by discovery processes,hardware or software asset management processes, purchase managementprocess, or manually, for example. Configuration items 712 and 714 areassumed to be unmatched configuration items generated in response tooperations of vulnerability scanner 604.

Configuration item 700 is associated with vulnerability 706. Thisassociation may have been made due to vulnerability scanner 604detecting vulnerability 706 on configuration item 700, and providingthis information to CMDB 500 by way of vulnerability response module608.

Configuration item 702 is not associated with any vulnerabilities. Thus,this configuration item is shown as not connected to a vulnerability.

Configuration item 704 is associated with vulnerabilities 708 and 710.Like configuration item 700, these associations may have been made dueto vulnerability scanner 604 detecting vulnerabilities 708 and 710 onconfiguration item 704, and providing this information CMDB 500 by wayof vulnerability response module 608.

Unmatched configuration item 712 is associated with vulnerabilities 716and 718. These associations may have been made due to vulnerabilityscanner 604 detecting vulnerabilities 716 and 718 on configuration item712, and providing this information CMDB 500 by way of vulnerabilityresponse module 608. However, vulnerability response module 608 wasunable to match configuration item 712 with any existing configurationitem (e.g., configuration items 700, 702, and 704). Thus, vulnerabilityresponse module 608 created configuration item 712 as an unmatchedconfiguration item.

Unmatched configuration item 714 is associated with vulnerability 720.Like unmatched configuration item 712, this association may have beenmade due to vulnerability scanner 604 detecting vulnerability 720 onconfiguration item 714, and providing this information CMDB 500 by wayof vulnerability response module 608. However, vulnerability responsemodule 608 was unable to match configuration item 714 with any existingconfiguration item (e.g., configuration items 700, 702, and 704). Thus,vulnerability response module 608 created configuration item 714 as anunmatched configuration item.

The arrangement of FIG. 7B shows the result of merge procedures on theconfiguration items of FIG. 7A. In particular, configuration item 712was merged with configuration item 700. By convention, when an unmatchedconfiguration item is merged with a configuration item generated bydiscovery procedures, the name of the latter is preserved. Thus, themerged configuration item is denoted configuration item 700, and themerge process can be considered to involve copying at least someinformation from unmatched configuration item 712 to configuration item700.

To that point, the merging of these two configuration items may involvecombining the attribute values of unmatched configuration item 712 withthose of configuration item 700 according to a set of rules. These rulesmay vary from attribute to attribute, and examples of such rules areprovided below.

After the initial merging of configuration item 712 and configurationitem 700, vulnerabilities 706, 716, and 718 are all associated withconfiguration item 700. But vulnerability 716 was determined to be thesame as vulnerability 706. As a consequence, these two vulnerabilitieswere merged - particularly, vulnerability 716 was merged intovulnerability 706. This may involve combining the field values ofvulnerability 716 with those of vulnerability 706 according to a set ofrules. These rules may vary from field to field, and examples of suchrules are provided below.

After the merge is complete, any memory used to store unmatchedconfiguration item 712 and vulnerability 716 may be freed, as therelevant information for both has been incorporated into configurationitem 700 and vulnerability 706, respectively. Freeing this memoryeliminates redundancy and increases the efficiency of CMDB 500.

An example of why the merging illustrated by FIGS. 7A and 7B might takeplace follows. For sake of argument, assume that configuration items 700and 712 both represent the same hardware component, e.g., a computingdevice in a managed network. When discovery was last executed, thecomputing device had an IP address of 192.168.0.10. But after thisdiscovery completed and before vulnerability scanner 604 performed anupdated scan on the computing device, its IP address wasadministratively changed to 10.1.2.3. When vulnerability response module608 initially attempted to match configuration item 712 to anotherconfiguration item in CMDB 500, it was unable to do so because of thisdiscrepancy between IP addresses. Therefore, vulnerability responsemodule 608 generated unmatched configuration item 712 as a placeholder,and associated detected vulnerabilities 716 and 718 with this unmatchedconfiguration item.

Nonetheless, in this scenario, the DNS name, NetBIOS name, and hardwareserial number of the computing device has not changed. Therefore, whenvulnerability response module 608 (or another software module) laterattempts to match unmatched configuration items, it may be able to do soby observing that the commonalities between the attributes ofconfiguration items 700 and 712 (DNS name, NetBIOS name, and hardwareserial number) far outweigh the difference (IP address). Thus,vulnerability response module 608 may determine that configuration items700 and 712 represent the same computing device, and may merge theseconfiguration items.

As noted above, once this configuration item merge takes place, afurther merge procedure may be performed on the vulnerabilities of themerged configuration item. In this scenario, vulnerabilities 706 and 716may both indicate that the computing device is configured with anunpatched version of an operating system that has a known exploit,whereas vulnerability 718 may indicate that the computing device isconfigured with a weak administrative password (e.g., less than 8characters). In particular, vulnerabilities 706 and 716 may sharenumerous field values in common, while vulnerability 718 has fieldvalues that are largely distinct from those of vulnerabilities 706 and716. Thus, vulnerability 716 may be merged into vulnerability 706, whilevulnerability 718 may be associated as is (or mostly as is) with themerged configuration item.

A goal of a CMDB (such as CMDB 500) is to be a source of truth regardingthe configuration of a managed network. As large managed networks canhave hundreds of thousands or even millions of configuration items, thisgoal becomes even more important to achieve. Whenever there areduplicate configuration items in the CMDB, such as unmatchedconfiguration items that could be merged into discovered configurationitems, the CMDB becomes more difficult to use and less trustworthy.

Further, duplicate configuration items and vulnerabilities unnecessarilyuse CMDB storage capacity that could be conserved or put to other uses.Also, as the CMDB grows, its performance may slow down accordingly.Therefore, it is desirable to be able to merge unmatched configurationitems and their associated vulnerabilities into discovered configurationitems as discussed above. After doing so, redundant configuration itemscan be removed from the CMDB, thereby improving CMDB accuracy andperformance.

VIII. Example Merge Procedures

This section describes example configuration item and vulnerabilitymerge procedures in detail. In particular, these procedures generallyadhere to three steps: (i) identifying unmatched configuration items tomerge into discovered configuration items, (ii) merging a specificunmatched configuration item into a specific discovered configurationitem based on their respective attribute values, and (iii) for a mergedconfiguration item, further merging any duplicating vulnerabilitiesassociated therewith based on their respective field values.

In the procedures below, it is assumed that one unmatched configurationitem is being processed at a time. Thus, even if two (or more) unmatchedconfiguration items represent the same component in managed network,they each may be separately merged with a discovered configuration item,e.g., the first unmatched configuration item is merged with a discoveredconfiguration item then the second unmatched configuration item ismerged with the same discovered configuration item. In this way, mergesmay occur in a serialized, pairwise fashion.

Notably, these procedures may take place at any time after the unmatchedconfiguration item is stored in the CMDB. Thus, these procedures may beconfigured to execute once per day or once per week, for example, or maybe manually triggered to execute.

A. Identifying Duplicate Configuration Items

An application, such as vulnerability response module 608, may beconfigured to compare unmatched configuration items with discoveredconfiguration items to identify duplicate configuration items that canbe merged. The exact procedure used for this step is beyond the scope ofthis document, but example embodiments are nonetheless described.

It is possible for duplicate configuration items to be manuallyidentified, e.g., by a user. For example, computational instance 322 maydisplay lists of configuration items in the CMDB on a web-basedinterface. The user may determine, based on his or her own personalknowledge and experience, that certain pairs of these configurationitems can be merged. Then, the user may manually perform the merge. Butwith large CMDBs (e.g., with tens of thousands of configuration items)such manual identification is error-prone and subjective, with differentusers potentially performing the identification and subsequent merges indifferent ways.

A more objective way to identify duplicate configuration items isthrough use of a software application that considers embeddings of therespective attribute values of configuration items. Thus, thisapplication may include embedding model, vector comparator, and vectormatcher sub-modules.

The embedding model may be a machine learning model, such an artificialneural network, configured to generate an embedding vector based on oneor more attribute values provided thereto as input. Thus, the embeddingmodel may be configured to generate candidate embedding vectors based onattribute values of discovered configuration items in CMDB 500. Theseembedding vectors may be referred to as candidate embedding vectorsbecause each is a potential match for an embedding vector generatedbased on attributes of the unmatched configuration item.

In some implementations, some or all of the attribute values may berepresented as character strings. Thus, the embedding model may be acharacter string embedding model configured to generate embeddingvectors based on the character strings. For example, embedding model mayinclude, utilize, and/or implement aspects of Word2Vec, GloVe, fastText,Gensim, or other word embedding architectures. In other implementations,some or all of the attribute values may be represented as integer and/orfloating point values, and thus the embedding model may be configured togenerate embedding vectors based on the integer and/or floating pointvalues. In yet other implementations, a combination of character string,integer, and/or floating point values inputs may be possible, and theembedding model may thus include different sub-models configured toprocess these different data formats.

The vector comparator may be configured to compare the embedding vectorgenerated from attributes of the unmatched configuration item to each ofthe candidate embedding vectors and determine corresponding similaritymetrics. Specifically, a comparison of this embedding vector with eachcandidate embedding vector may generate a different similarity metric.In some implementations, the similarity metric may be a Euclideandistance between the embedding vectors being compared. In otherimplementations, the similarity metric may be a cosine distance betweenthe embedding vectors being compared. Other similarity metrics arepossible. Regardless, the similarity metrics may measure respectivedistances between the embedding vector and each of the candidateembedding vectors in a vector space defined by embedding model. Thesedistances may be indicative of how similar attribute values of theunmatched configuration item are to each set of attribute values fromthe discovered configuration items.

The vector matcher may be configured to select, based on the similaritymetrics, a discovered configuration item that matches the unmatchedconfiguration item. Specifically, the vector matcher may select theconfiguration items associated with discovered attribute values thatmost closely match the attribute values of the unmatched configurationitem, as measured by way of the similarity metrics. In one example, thevector matcher may be configured to select the discovered configurationitem associated with the highest similarity metric. In another example,a discovered configuration item may be additionally or alternativelyselected based on its corresponding similarity metric exceeding athreshold similarity value, such as 75%, 80%, 90%, or another desiredthreshold value (which may also be expressed as a corresponding distancerather than a percentage). Thus, in some cases, selection of theconfiguration item may be automated.

In a further example, the vector matcher and/or other components of theapplication may be configured to display some of the similarity metricsby way of a user interface to allow for manual configuration itemmatching. For example, the n highest similarity metrics may bedisplayed, where n is an integer value such as 3, 4, 5, 8, etc., and maybe modifiable. In some cases, the user interface may also display one ormore attribute values of the unmatched configuration item and theattribute values of the discovered configuration items corresponding tothe n highest similarity metrics. A user may be able to select one ofthe discovered configuration items associated with the n highestsimilarity metrics based on the displayed information, therebyindicating a match for the unmatched configuration item. In some cases,the user may additionally or alternatively indicate that none of thediscovered configuration items represent the discovered computingresource, and the unmatched configuration item may remain unmerged.

B. Merging Configuration Items

In general, merging configuration items involves combining attributevalues of the unmatched configuration item and the discoveredconfiguration item. During this process, preference is usually given tothe attribute values of the discovered configuration item unless theseattribute values are empty or default. This is because attribute valuesof the discovered configuration item are generally considered to be morereliable than those of the unmatched configuration item.

But if the attribute values of the discovered configuration item areempty or default, the corresponding attribute values of the unmatchedconfiguration item may be used in some cases. Empty attribute values maybe null values or other forms of non-values. For example, a text-stringattribute value that is a zero-length string may be considered to havean empty value. Default attribute values are those assigned by thesystem (e.g., computational instance 322) by convention or in itsfreshly-installed (e.g., “out of the box”) state. Any attribute valuethat is not empty and not the default value is considered to have beenmodified - e.g., written to the CMDB by an application such as thediscovery application or manually changed.

Attribute preferences are specified in table 800 of FIG. 8 . Theleftmost column represents the attribute value of the unmatchedconfiguration item. The center column represents the attribute value ofthe corresponding discovered configuration item. The rightmost columnrepresents the source of the attribute value that will be chosen whenthe unmatched configuration item is merged into the discoveredconfiguration item.

For row 802, both sources have the default attribute value. As bothsources have the same attribute value, and either can be chosen for themerged configuration item.

For row 804, the unmatched configuration item has the default attributevalue and the discovered configuration item has an empty attributevalue. Thus, the attribute value of the unmatched configuration item ischosen.

For row 806, the unmatched configuration item has the default attributevalue and the discovered configuration item has a modified attributevalue. Thus, the attribute value of the discovered configuration item ischosen.

For row 808, the unmatched configuration item has an empty attributevalue and the discovered configuration item has the default attributevalue. Thus, the attribute value of the discovered configuration item ischosen.

For row 810, both sources have the empty attribute value. As bothsources have the same attribute value, and either can be chosen for themerged configuration item.

For row 812, the unmatched configuration item has the empty attributevalue and the discovered configuration item has a modified attributevalue. Thus, the attribute value of the discovered configuration item ischosen.

For row 814, the unmatched configuration item has a modified attributevalue and the discovered configuration item has the default attributevalue. Thus, the attribute value of the unmatched configuration item ischosen.

For row 816, the unmatched configuration item has a modified attributevalue and the discovered configuration item has the empty attributevalue. Thus, the attribute value of the unmatched configuration item ischosen.

For row 818, the unmatched configuration item has a modified attributevalue and the discovered configuration item has a modified attributevalue. Thus, the attribute value of the discovered configuration item ischosen.

Some embodiments may simplify this selection process by not making adistinction between default and empty attributes. In these embodiments,modified attribute values are given preference over empty / defaultattribute values, and modified attribute values of the discoveredconfiguration item are given preference over modified attribute valuesof the unmatched configuration item. If both configuration items have anattribute with empty or default values, either may be selected.

As a concrete example, suppose that an unmatched configuration item isbeing merged with a discovered configuration item, both representing aserver device. Because it was discovered, the discovered configurationitem would almost certainly have an attribute value for its IP address,which would be considered to be modified. Then, regardless of whetherthe corresponding attribute for the unmatched configuration item isempty, has the default value, or has been modified, the IP address ofthe discovered configuration item would be preserved during the mergeprocedure. However, if for some reason the discovered configuration itemhas an empty value for its IP address attribute and the unmatchedconfiguration item has a modified (non-empty, non-default) value for itsIP address attribute, then the IP address from the unmatchedconfiguration item will be preserved during the merge procedure.

Merging configuration items may also involve modifying any references tothe unmatched configuration item to instead refer to the discoveredconfiguration item. For example, other configuration items in the CMDBand/or tables in the CMDB may include references (e.g., pointers) to theunmatched configuration item. Since the unmatched configuration itemmight not exist after the merge process, these references should beupdated to point to the discovered configuration item. Additionalreferences may exist in other database tables, such as tables used byvarious remote network management platform applications, and thesereferences may be updated as well.

C. Merging Vulnerabilities of a Configuration Item

As noted above, when two or more configuration items are merged, theirassociated vulnerabilities are updated to refer to the mergedconfiguration item. But some of these vulnerabilities may be duplicatesof one another. For example, any two or more vulnerabilities referringto the same exploit and the same configuration item are effectivelyduplicates of one another and should also be merged. But mergingvulnerabilities can be more complicated than merging configurationitems. Thus, a rule-based approach may be used to determine how to mergeeach field of a vulnerability based on the type of the field and itscontent.

Generally speaking, vulnerabilities may have three different types offields: user-defined, system-defined, and application-defined.User-defined fields are fields that were added by the customer of theservices provided by the computational instance (e.g., the managednetwork), and may be identified with field names beginning with thecharacters “u_”. System-defined fields are fields that are defined bythe computational instance for all CMDB entries, includingvulnerabilities, and may be identified with field names beginning withthe characters “sys_”. Application-defined fields are those that aredefined by the vulnerability scanner or vulnerability response module,and may be identified with field names that do not begin with either thecharacters “u_” or the characters “sys_”. In some embodiments, more orfewer field types may be present, and each may have its own associatedset of rules for merging.

The rules for merging user-defined fields are relativelystraightforward. Of the two or more vulnerabilities to be merged, thenewest, non-empty value is selected.

TABLE 1 Merge Technique Description Oldest Among the values of the fieldfor the vulnerabilities to be merged, discard empty, null, and valuesequal to the default value for the field. From what remains, select thefield value that corresponds to the vulnerability with the earliestsys_created_on (see below) timestamp value. Newest Among the values ofthe field for the vulnerabilities to be merged, discard empty, null, andvalues equal to the default value attribute for the field. From whatremains, select the field value that corresponds to the vulnerabilitywith the most recent sys_modified_on (see below) timestamp value. MinAmong the values of the field for the vulnerabilities to be merged,discard empty, null, and values equal to the default value for thefield. From what remains, select the field value that corresponds to thevulnerability with the smallest field value. Max Among the values of thefield for the vulnerabilities to be merged, discard empty, null, andvalues equal to the default value for the field. From what remains,select the field value that corresponds to the vulnerability with thelargest field value. Concatenate This technique is typically used withreference fields and text-based fields. For a reference field such as ajournal, all of the field’s references for the vulnerabilities to bemerged are copied to reference the merged vulnerability. For text andother text-like fields like HTML, the values in the field for thevulnerabilities to be merged are appended together in date order, withduplicates removed.

The rules for merging system-defined fields can be found in Table 1.There are five merging techniques described therein. The “oldest” and“newest” rules operate on timestamps, while the “min” and “max” rulesoperate on ordered values (e.g., integers, floating point numbers,etc.). The “concatenate” rule operates on references, text, orstructured text, and typically combines the values from fields in thevulnerabilities to merge without preferring one vulnerability over theother. This is appropriate where the field is some form of activity log,such as a work notes field or a problem description field in whichagents or administrators add free-form text regarding the vulnerability.In these cases, it would be prudent to preserve all of this informationin the merged vulnerability. Other types of rules may be defined.

These rules are applied as follows. For the sys_id field (a uniqueidentifier of the vulnerability), the sys_created_on field (a timestampof when the vulnerability was created), and the sys_created_by field (anindicator of a user or entity that created the vulnerability), the“oldest” rule is applied. For the sys_updated_on field (a timestamp ofwhen the vulnerability was updated) and sys _updated_by field (anindicator of a user or entity that most recently updated thevulnerability), the “newest” rule is applied. For the sys_mod_countfield (the number of times the vulnerability was modified), the “max”rule is applied. For any other system-defined field, the “newest” ruleis applied. Alternative embodiments may apply the rules to fields in adifferent fashion.

Various applications may define their own application-specific fields.An example of fields defined by an example vulnerability scanner isshown Table 900 of in FIG. 9 . Table 900 has three columns. The leftmostcolumn is the name of the field, the middle column is the merge rule tobe used when merging values of this field from differentvulnerabilities, and the rightmost column is the type of data containingthe field.

Notably, Table 900 includes merge rules that include and go beyond thosedescribed above. For example, the “active” field value may be subject toa custom computation when merged, the “age_closed” field value may becalculated based on a difference between the “closed_at” and“age_closed” field values, and so on. A further merge rule is based onchoice list order, where the possible values of a field are static anddefined in a list. The field value can only be one of the values fromthe choice list, or null. The values in the choice list may be ordered,but may differ from the assigned order in the choice list. Thereforeminimum or maximum calculations in choice list order means the valuethat corresponds to the minimum or maximum order position in the choicelist and not necessarily the minimum or maximum value in the list.Further, the types of data may include tinyint (a 1-byte integer), int(a 4-byte integer), datetime (a data structure representing a date andtime, usually as two 4-byte integers), varchar(n) (an n-byte string),and mediumtext (a string with a maximum length of 16,777,215characters).

As example, values of the “work_notes” fields are concatenated in themerged vulnerability, whereas the value of the “assigned_to” field inthe merged vulnerability is the newest among the vulnerabilities thatare being merged. If fields not in this list are present in thevulnerabilities, the newest value is selected.

In some cases, the merged value of one field may rely upon the mergedvalue of another field. Thus, certain vulnerability fields may be mergedin a specific order due to these dependencies. An example may be the“state” and “substate” fields (not shown in FIG. 9 ).

The “state” field represents the state of the vulnerability, which mayhave values such as open, under investigation, awaiting implementation,resolved, deferred, and closed. The “substate” field may only have anon-empty value when the “state” value is closed. Therefore, values ofthe “state” fields in the vulnerable items should be merged before thevalues of the “substate” fields are merged.

Merging of the “state” fields occurs according to Table 1000 of FIG. 10. Table 1000 considers how the state field values of twovulnerabilities, vulnerability 1 and vulnerability 2, are merged. Theleftmost column represents the value of the “state” field ofvulnerability 1 and the second leftmost column represents the value ofthe “state” field of vulnerability 2. The second rightmost columnrepresents a merged value of the “state” field or another field ofvulnerability 1 that will be used to determine the merged state. Therightmost column represents a merged value of the “state” field or afield of vulnerability 2 that will be used to determine the mergedstate. When a merged value of the “state” field is present for acombination of “state” field values of vulnerability 1 and vulnerability2, it is the same in both the second rightmost and rightmost columns.

The merge process proceeds as follows. The “state” field values ofvulnerability 1 and vulnerability 2 are considered. If the secondrightmost and rightmost columns indicate a merged value, then that valuewill be used in the “state” field of the merged vulnerability. Forexample, as shown in Table 1000, when vulnerability 1 is in any of theunder investigation, awaiting implementation or in review states, thatstate will be used as the merged “state” value when vulnerability 2 isin the open state.

If the second rightmost and rightmost columns indicate fields of theirrespective vulnerabilities, then the values of these two fields arecompared and the greater of the values determines which “state” fieldvalue is used in the merged vulnerability. For example, when the “state”field value of vulnerability 1 is resolved and the “state” field valueof vulnerability 2 is open, the value of the resolution_date field ofvulnerability 1 is compared to the value of the opened_at field ofvulnerability 2. If the resolution_date field has the greater value, the“state” field value of the merged vulnerability will be resolved. If theopened_at field has the greater value, the “state” field value of themerged vulnerability will be open.

Further, value of the “substate” field in the merged vulnerability isset to empty unless the value of the “state” field in the mergedvulnerability is closed. In the latter case, the value of the “substate”field is that of the vulnerability from which the closed stateoriginated.

IX. Example Operations

FIG. 11 is a flow chart illustrating an example embodiment. The processillustrated by FIG. 11 may be carried out by a computing device, such ascomputing device 100, and/or a cluster of computing devices, such asserver cluster 200. However, the process can be carried out by othertypes of devices or device subsystems. For example, the process could becarried out by a computational instance of a remote network managementplatform.

The embodiments of FIG. 11 may be simplified by the removal of any oneor more of the features shown therein. Further, these embodiments may becombined with features, aspects, and/or implementations of any of theprevious figures or otherwise described herein.

Block 1100 may involve determining that an unmatched configuration itemand a particular configuration item both represent a specific componentof a managed network, wherein the unmatched configuration item isassociated with a first set of attribute values and a firstvulnerability, wherein the first vulnerability is associated with afirst set of field values, wherein the particular configuration item isassociated with a second set of attribute values and a secondvulnerability, and wherein the second vulnerability is associated with asecond set of field values.

Block 1102 may involve merging the unmatched configuration item into theparticular configuration item, wherein preference is given to modifiedvalues of the second set of attribute values over corresponding valuesof the first set of attribute values.

Block 1104 may involve determining that the first vulnerability and thesecond vulnerability both represent a specific vulnerability of thespecific component. For example, each instance of a vulnerability of theunmatched configuration item and the particular configuration item mayhave a reference field to a unique vulnerability data database (e.g.,governmental or private). All vulnerabilities in such a database arecataloged as entries with unique identifiers and other relatedinformation in a separate table. When both instances of vulnerabilitiesof the configuration items reference the same entry record in thedatabase, then each instance is the same vulnerability.

Block 1106 may involve merging the first vulnerability into the secondvulnerability based on rules that consider content and types of thefirst set of field values and the second set of field values.

Block 1108 may involve deleting the unmatched configuration item and thefirst vulnerability.

In some embodiments, merging the unmatched configuration item into theparticular configuration item comprises updating references that pointto the unmatched configuration item so that they point to the particularconfiguration item.

In some embodiments, the modified values of the second set of attributevalues are non-empty and non-default values.

In some embodiments, giving preference to the modified values of thesecond set of attribute values over corresponding values of the firstset of attribute values comprises: (i) giving preference to the modifiedvalues of the second set of attribute values over corresponding valuesof the first set of attribute values that are modified, default, orempty, and (ii) giving preference to default values of the second set ofattribute values over corresponding values of the first set of attributevalues that are empty.

In some embodiments, preference is also given to modified values of thefirst set of attribute values over corresponding values of the secondset of attribute values that are default or empty.

Some embodiments may involve: (i) determining that a further unmatchedconfiguration item and the particular configuration item both representthe specific component, wherein the further unmatched configuration itemis associated with a further set of attribute values and a furthervulnerability, and wherein the further vulnerability is associated witha further set of field values; (ii) merging the further unmatchedconfiguration item into the particular configuration item, whereinpreference is given to the modified values of the second set ofattribute values over corresponding values of the further set ofattribute values; (iii) determining that the further vulnerability andthe second vulnerability both represent the specific vulnerability; (iv)merging the further vulnerability into the second vulnerability based onthe rules; and (v) deleting the further unmatched configuration item andthe further vulnerability.

In some embodiments, the types are either user-defined, system-defined,or application-defined, wherein user-defined fields are defined by anentity associated with the managed network, wherein system-definedfields are defined by an entity associated with the system, and whereinapplication-defined fields are defined by an entity associated with anapplication that identified the unmatched configuration item. Merging auser-defined field may involve giving preference to a newest, non-emptyvalue of the user-defined field from among corresponding field values ofthe first vulnerability and the second vulnerability. Merging asystem-defined field or an application-defined field may involve either:(i) giving preference to an oldest, newest, lowest or highest value ofthe system-defined field or the application-defined field from amongcorresponding field values of the first vulnerability and the secondvulnerability, or (ii) concatenating the corresponding field values ofthe first vulnerability and the second vulnerability.

In some embodiments, merging a specific field of the first vulnerabilityinto the second vulnerability comprises either: (i) giving preference toan oldest, newest, lowest or highest value of the specific field fromamong corresponding field values of the first vulnerability and thesecond vulnerability, or (ii) concatenating the corresponding fieldvalues of the first vulnerability and the second vulnerability.

In some embodiments, the rules require that a first field in the firstvulnerability and the second vulnerability is merged before a secondfield in the first vulnerability and the second vulnerability is merged.

X. Closing

The present disclosure is not to be limited in terms of the particularembodiments described in this application, which are intended asillustrations of various aspects. Many modifications and variations canbe made without departing from its scope, as will be apparent to thoseskilled in the art. Functionally equivalent methods and apparatuseswithin the scope of the disclosure, in addition to those describedherein, will be apparent to those skilled in the art from the foregoingdescriptions. Such modifications and variations are intended to fallwithin the scope of the appended claims.

The above detailed description describes various features and operationsof the disclosed systems, devices, and methods with reference to theaccompanying figures. The example embodiments described herein and inthe figures are not meant to be limiting. Other embodiments can beutilized, and other changes can be made, without departing from thescope of the subject matter presented herein. It will be readilyunderstood that the aspects of the present disclosure, as generallydescribed herein, and illustrated in the figures, can be arranged,substituted, combined, separated, and designed in a wide variety ofdifferent configurations.

With respect to any or all of the message flow diagrams, scenarios, andflow charts in the figures and as discussed herein, each step, block,and/or communication can represent a processing of information and/or atransmission of information in accordance with example embodiments.Alternative embodiments are included within the scope of these exampleembodiments. In these alternative embodiments, for example, operationsdescribed as steps, blocks, transmissions, communications, requests,responses, and/or messages can be executed out of order from that shownor discussed, including substantially concurrently or in reverse order,depending on the functionality involved. Further, more or fewer blocksand/or operations can be used with any of the message flow diagrams,scenarios, and flow charts discussed herein, and these message flowdiagrams, scenarios, and flow charts can be combined with one another,in part or in whole.

A step or block that represents a processing of information cancorrespond to circuitry that can be configured to perform the specificlogical functions of a herein-described method or technique.Alternatively or additionally, a step or block that represents aprocessing of information can correspond to a module, a segment, or aportion of program code (including related data). The program code caninclude one or more instructions executable by a processor forimplementing specific logical operations or actions in the method ortechnique. The program code and/or related data can be stored on anytype of computer readable medium such as a storage device including RAM,a disk drive, a solid state drive, or another storage medium.

The computer readable medium can also include non-transitory computerreadable media such as computer readable media that store data for shortperiods of time like register memory and processor cache. The computerreadable media can further include non-transitory computer readablemedia that store program code and/or data for longer periods of time.Thus, the computer readable media may include secondary or persistentlong term storage, like ROM, optical or magnetic disks, solid statedrives, or compact-disc read only memory (CD-ROM), for example. Thecomputer readable media can also be any other volatile or non-volatilestorage systems. A computer readable medium can be considered a computerreadable storage medium, for example, or a tangible storage device.

Moreover, a step or block that represents one or more informationtransmissions can correspond to information transmissions betweensoftware and/or hardware modules in the same physical device. However,other information transmissions can be between software modules and/orhardware modules in different physical devices.

The particular arrangements shown in the figures should not be viewed aslimiting. It should be understood that other embodiments can includemore or less of each element shown in a given figure. Further, some ofthe illustrated elements can be combined or omitted. Yet further, anexample embodiment can include elements that are not illustrated in thefigures.

While various aspects and embodiments have been disclosed herein, otheraspects and embodiments will be apparent to those skilled in the art.The various aspects and embodiments disclosed herein are for purpose ofillustration and are not intended to be limiting, with the true scopebeing indicated by the following claims.

What is claimed is:
 1. A method comprising: determining that a firstconfiguration item and a second configuration item both represent aspecific hardware or software component, wherein the first configurationitem is associated with a first vulnerability and the secondconfiguration item is associated with a second vulnerability; mergingthe first configuration item and the second configuration item;determining that the first vulnerability and the second vulnerabilityboth represent a specific vulnerability of the specific hardware orsoftware component; and merging the first vulnerability and the secondvulnerability.
 2. The method of claim 1, wherein at least one of thefirst configuration item and the second configuration item is anunmatched configuration item that was found by a vulnerability detectionapplication.
 3. The method of claim 1, further comprising: deleting oneof the first configuration item and the second configuration item. 4.The method of claim 1, further comprising: deleting one of the firstvulnerability and the second vulnerability.
 5. The method of claim 1,wherein the first configuration item is associated with a first set ofattribute values and the second configuration item is associated with asecond set of attribute values, and wherein merging the firstconfiguration item and the second configuration item comprises mergingthe first set of attribute values and the second set of attribute valueswith preference given to modified attribute values over correspondingunmodified attribute values.
 6. The method of claim 1, wherein the firstconfiguration item is associated with a first set of attribute valuesand the second configuration item is associated with a second set ofattribute values, and wherein merging the first configuration item andthe second configuration item comprises merging the first set ofattribute values and the second set of attribute values with preferencegiven to any attribute values that are non-empty or non-default.
 7. Themethod of claim 1, wherein merging the first configuration item and thesecond configuration item comprises: merging the first configurationitem into the second configuration item; and updating references thatrefer to the first configuration item so that they refer to the secondconfiguration item.
 8. The method of claim 1, wherein merging the firstconfiguration item and the second configuration item comprises mergingthe first configuration item into the second configuration item, andwherein merging the first vulnerability and the second vulnerabilitycomprises merging the first vulnerability into the second vulnerability,the method further comprising: determining that a further configurationitem and the second configuration item both represent the specifichardware or software component, wherein the further configuration itemis associated with a further vulnerability; merging the furtherconfiguration item into the second configuration item; determining thatthe further vulnerability and the second vulnerability both representthe specific vulnerability; and merging the further vulnerability intothe second vulnerability.
 9. The method of claim 1, wherein merging thefirst vulnerability and the second vulnerability is based on fieldvalues of the first vulnerability and the second vulnerability.
 10. Themethod of claim 9, wherein merging the first vulnerability and thesecond vulnerability is further based on types of the field values,wherein the types are either user-defined, system-defined, orapplication-defined, wherein user-defined fields are defined by anentity associated with the specific hardware or software component,wherein system-defined fields are defined by an entity associated with asystem in which the specific hardware or software component is disposed,and wherein application-defined fields are defined by an entityassociated with an application that identified at least one of the firstconfiguration item or the second configuration item.
 11. The method ofclaim 10, wherein merging a user-defined field comprises givingpreference to a newest, non-empty value of the user-defined field fromamong corresponding field values of the first vulnerability and thesecond vulnerability.
 12. The method of claim 10, wherein merging asystem-defined field or an application-defined field comprises either:(i) giving preference to an oldest, newest, lowest or highest value ofthe system-defined field or the application-defined field from amongcorresponding field values of the first vulnerability and the secondvulnerability, or (ii) concatenating the corresponding field values ofthe first vulnerability and the second vulnerability.
 13. The method ofclaim 1, wherein determining that the first configuration item and thesecond configuration item both represent the specific hardware orsoftware component comprises: based on first content of the firstconfiguration item, generating a first vector representation of thefirst configuration item; based on second content of the secondconfiguration item, generating a second vector representation of thesecond configuration item; and determining that a distance between thefirst vector representation and the second vector representation is lessthan a threshold value.
 14. A non-transitory computer-readable mediumstoring program instructions that, when executed by one or moreprocessors of a computing system, cause the computing system to performoperations comprising: determining that a first configuration item and asecond configuration item both represent a specific hardware or softwarecomponent, wherein the first configuration item is associated with afirst vulnerability and the second configuration item is associated witha second vulnerability; merging the first configuration item and thesecond configuration item; determining that the first vulnerability andthe second vulnerability both represent a specific vulnerability of thespecific hardware or software component; and merging the firstvulnerability and the second vulnerability.
 15. The non-transitorycomputer-readable medium of claim 14, wherein the first configurationitem is associated with a first set of attribute values and the secondconfiguration item is associated with a second set of attribute values,and wherein merging the first configuration item and the secondconfiguration item comprises merging the first set of attribute valuesand the second set of attribute values with preference given to modifiedattribute values over corresponding unmodified attribute values.
 16. Thenon-transitory computer-readable medium of claim 14, wherein the firstconfiguration item is associated with a first set of attribute valuesand the second configuration item is associated with a second set ofattribute values, and wherein merging the first configuration item andthe second configuration item comprises merging the first set ofattribute values and the second set of attribute values with preferencegiven to any attribute values that are non-empty or non-default.
 17. Thenon-transitory computer-readable medium of claim 14, wherein merging thefirst configuration item and the second configuration item comprises:merging the first configuration item into the second configuration item;and updating references that refer to the first configuration item sothat they refer to the second configuration item.
 18. The non-transitorycomputer-readable medium of claim 14, wherein merging the firstvulnerability and the second vulnerability is based on field values ofthe first vulnerability and the second vulnerability.
 19. Thenon-transitory computer-readable medium of claim 18, wherein merging thefirst vulnerability and the second vulnerability is further based ontypes of the field values, wherein the types are either user-defined,system-defined, or application-defined, wherein user-defined fields aredefined by an entity associated with the specific hardware or softwarecomponent, wherein system-defined fields are defined by an entityassociated with a system in which the specific hardware or softwarecomponent is disposed, and wherein application-defined fields aredefined by an entity associated with an application that identified atleast one of the first configuration item or the second configurationitem.
 20. A computing system comprising: one or more processors; memory;and program instructions, stored in the memory, that upon execution bythe one or more processors cause the computing system to performoperations comprising: determining that a first configuration item and asecond configuration item both represent a specific hardware or softwarecomponent, wherein the first configuration item is associated with afirst vulnerability and the second configuration item is associated witha second vulnerability; merging the first configuration item and thesecond configuration item; determining that the first vulnerability andthe second vulnerability both represent a specific vulnerability of thespecific hardware or software component; and merging the firstvulnerability and the second vulnerability.